How to configure chroot SFTP in Linux

There are scenarios where a system administrator wants only a few users to be allowed to transfer files to a Linux box, without giving them SSH shell access. We can achieve this by setting up SFTP in a chroot environment.

Background of SFTP & chroot :

SFTP stands for SSH File Transfer Protocol (also called Secure File Transfer Protocol). It provides file access, file transfer and file management over any reliable data stream, normally an SSH connection. When SFTP is configured in a chroot environment, the allowed users are confined to their home directory: a jail-like environment in which they can move around inside that directory but cannot change to anything outside it.

In this article we will configure chroot SFTP on RHEL 6.x and CentOS 6.x. We have one user, 'jack'; this user will be allowed to transfer files to the Linux box but will have no SSH shell access.

Note : if you want to change the default home directory of a user, use the '-d' option of the useradd or usermod command and set the correct permissions on the new directory.

Step:3 Now edit the config file “/etc/ssh/sshd_config”

# vi /etc/ssh/sshd_config
# comment out the default sftp-server line and replace it with internal-sftp
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# add the lines below at the end of the file
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Where :

Match Group sftp_users – the directives that follow apply only to users who belong to the group sftp_users. Every line after a Match belongs to that Match until the next Match, which is why the block must stay at the end of the file.

ChrootDirectory %h – the path (by default the user's home directory) that sshd chroots into after the user has authenticated. For jack this is /home/jack. sshd requires that this directory and every parent component up to / be owned by root and not be writable by any other user or group, otherwise the login is refused. The user therefore cannot write directly into /home/jack and needs a writable subdirectory inside it (for example /home/jack/upload) owned by the user. Inside the chroot the user sees /home/jack as /, so that directory appears to the client as /upload.

ForceCommand internal-sftp – forces execution of the in-process SFTP server and ignores any command supplied by the client or specified in the ~/.ssh/rc file. Because internal-sftp runs inside sshd itself, no sftp-server binary or shared libraries have to be copied into the chroot.

I have followed the exact steps given in the tutorial, but I am getting an error when uploading a file. I am able to download any files.
sftp> put sftp_file
Uploading sftp_file to /upload/sftp_file
remote open(“/upload/sftp_file”): Permission denied
sftp>

1) All the commands above have absolute directory paths. This command makes the assumption that it's in the directory /home.
2) There is a . (dot) after jack? Either a typo or it means the current directory. See 1.
3) Why upload/? Is this just upload or /home/jack/upload?

I have used a . (dot) after jack in the chown command because I want to make this user both the file owner and the group owner of the upload folder. I chose the upload folder because I want the jack user to upload its files and directories only to the upload directory.

I’ve gone through this step by step, but when I try to log in using WinSCP, I get “Error listing directory ‘/upload’. Permission denied.”
Error code: 3
Error message from server: Permission denied
Request code: 11

I can go into the folder, but I can’t list anything, and when I try to upload a file I get Permission denied.
Error code: 3
Error message from server: Permission denied
Request code: 3